Microsoft 365’s PDF Export Vulnerability Exposes Sensitive Server Data

A significant security flaw was recently identified in Microsoft 365’s Export to PDF functionality, potentially allowing unauthorized access to sensitive server-side data. This Local File Inclusion (LFI) vulnerability could have exposed critical information such as configuration files, database credentials, and application source code.

Discovery and Reporting

Security researcher Gianluca Baldi uncovered this vulnerability during a client web application assessment. The assessment involved a feature that converted documents into PDF format via Microsoft 365 SharePoint integration. Baldi’s findings were reported to Microsoft, leading to a patch and a $3,000 bounty reward for his contribution to enterprise security.

Technical Details

The vulnerability stemmed from an undocumented behavior in the Microsoft Graph APIs, which support PDF conversion from various formats, including CSV, DOC, DOCX, and others. Notably, the conversion also accepted HTML input, an unexpected capability that created an unforeseen attack vector.

This conversion process lacked proper input validation and file path restrictions, enabling path traversal attacks that could access files outside the server’s designated root directory. Attackers could embed malicious HTML tags such as ``, ``, and `
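An application that forwards user uploads to a document-to-PDF conversion service can refuse HTML, and flag local file references in it, before the file ever reaches the converter. The sketch below is an added example, not code from the article, the researcher, or Microsoft. The allowlist, the attribute list, and the names `conversion_gate`, `MarkupScanner` and `is_local_reference` are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Assumed allowlist: binary formats this hypothetical application means to convert.
ALLOWED_MAGIC = {
    b"PK\x03\x04": "docx",                        # OOXML container (ZIP)
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc",   # legacy OLE compound file
}
URL_ATTRS = {"src", "href", "data", "action", "poster", "background"}


def is_local_reference(value):
    """True if a URL attribute value resolves on the converter's own file system."""
    v = unquote(value.strip()).replace("\\", "/")
    m = re.match(r"([a-z][a-z0-9+.-]*):", v, re.I)
    if m:  # explicit scheme: file: URI, or a one-letter "scheme" that is a drive letter
        return m.group(1).lower() == "file" or len(m.group(1)) == 1
    # No scheme: rooted/UNC paths and any ".." segment (strict on purpose).
    return v.startswith("/") or ".." in v.split("/")


class MarkupScanner(HTMLParser):
    """Counts start tags and records URL attributes that point at local files."""

    def __init__(self):
        super().__init__()
        self.tags = 0
        self.hits = []

    def handle_starttag(self, tag, attrs):
        self.tags += 1
        for name, value in attrs:
            if name in URL_ATTRS and value and is_local_reference(value):
                self.hits.append((tag, name, value))


def conversion_gate(data):
    """Decide whether uploaded bytes may be forwarded to the PDF converter."""
    for magic, kind in ALLOWED_MAGIC.items():
        if data.startswith(magic):
            return True, kind
    scanner = MarkupScanner()
    scanner.feed(data.decode("utf-8", errors="replace"))
    scanner.close()
    if scanner.hits:
        return False, "local-file-reference"
    if scanner.tags:
        return False, "html-not-accepted"
    return True, "text"  # CSV or other plain text without markup
```

The gate checks content rather than the file extension or declared MIME type, and a `local-file-reference` result is worth logging as a distinct event from an ordinary rejected upload.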